docs.sendgrid.com
Open in
urlscan Pro
34.237.125.4
Public Scan
Submitted URL: http://url3648.twilio.com/ls/click?upn=u001.Rd-2Fu6oMZ9ZGYtOHSR-2Fjpg-2BQPEfQRY-2FoQNXxTyzyAwdmRyykbDprLtorO-2FQyEgqyyJ2kk...
Effective URL: https://docs.sendgrid.com/ui/account-and-settings/how-to-set-up-domain-authentication
Submission Tags: falconsandbox
Submission: On March 07 via api from US — Scanned from DE
Effective URL: https://docs.sendgrid.com/ui/account-and-settings/how-to-set-up-domain-authentication
Submission Tags: falconsandbox
Submission: On March 07 via api from US — Scanned from DE
Form analysis 2 forms found in the DOM
GET /docs/search
<form method="get" action="/docs/search"><input type="search" name="q" class="docs-nav-mobile__search"></form>POST /docs/submit-feedback
<form action="/docs/submit-feedback" id="feedback" method="POST">
<div class="twlo-modal">
<span class="twlo-modal__close close">
<svg class="icon-close" fill="#233659" height="18" viewBox="0 0 18 18" width="18" xmlns="http://www.w3.org/2000/svg">
<path d="M15 4l-5 5 5 5v1h-1l-5-5-5 5H3v-1l5-5-5-5V3h1l5 5 5-5h1v1z"></path>
</svg>
</span>
<h2 class="twlo-modal__title">Thank you for your feedback!</h2>
<p class="twlo-modal__body"> Please select the reason(s) for your feedback. The additional information you provide helps us improve our documentation: </p>
<input name="star_rating" type="hidden" value="">
<input name="feedback_id" type="hidden" value="">
<input name="page" type="hidden" value="23991">
<input name="page_live_revision" type="hidden" value="527403">
<input name="requested_path" type="hidden" value="/ui/account-and-settings/how-to-set-up-domain-authentication">
<input name="csrfmiddlewaretoken" type="hidden" value="UZOGXkNnUGJVSDZy0WG4BzsNXAWOfrmB6fgqjxXPPMTcwOTgxMTc1Mi41ODkwNDI">
<input name="recaptcha" type="hidden" value="">
<div class="feedback-countries hidden">
<label for="countries">If applicable fill in the countries where you are using Twilio</label><br>
<input id="countries" name="countries" value=""><br>
</div>
<div class="twlo-modal__form">
<div id="feedback-negative-form-fields">
<div class="twlo-modal__form-options">
<input class="twlo-modal__form-options-input" id="feedback-negative-form-option-one" name="negative_first_option" type="checkbox">
<label for="feedback-negative-form-option-one">Missing information or code</label>
</div>
<div class="twlo-modal__form-options">
<input class="twlo-modal__form-options-input" id="feedbac-knegative-form-option-two" name="negative_second_option" type="checkbox">
<label for="feedbac-knegative-form-option-two">Content is confusing or hard to follow</label>
</div>
<div class="twlo-modal__form-options">
<input class="twlo-modal__form-options-input" id="feedback-negative-form-option-three" name="negative_third_option" type="checkbox">
<label for="feedback-negative-form-option-three">Inaccurate or outdated information</label>
</div>
<div class="twlo-modal__form-options">
<input class="twlo-modal__form-options-input" id="feedback-negative-form-option-four" name="negative_fourth_option" type="checkbox">
<label for="feedback-negative-form-option-four">Broken link or typo</label>
</div>
<div class="twlo-modal__form-options">
<input class="twlo-modal__form-options-input" id="feedback-negative-form-option-five" name="negative_fifth_option" type="checkbox">
<label for="feedback-negative-form-option-five">Did not solve my problem</label>
</div>
</div>
<div id="feedback-positive-form-fields">
<div class="twlo-modal__form-options">
<input class="twlo-modal__form-options-input" id="feedback-positive-form-option-one" name="positive_first_option" type="checkbox">
<label for="feedback-positive-form-option-one">Content is easy to follow</label>
</div>
<div class="twlo-modal__form-options">
<input class="twlo-modal__form-options-input" id="feedback-positive-form-option-two" name="positive_second_option" type="checkbox">
<label for="feedback-positive-form-option-two">Solved my problem</label>
</div>
</div>
<div class="twlo-modal__form-options">
<input class="twlo-modal__form-options-input" id="feedback-form-other-option" name="other_option" type="checkbox">
<label for="feedback-form-other-option">Other</label>
</div>
</div>
<textarea class="twlo-modal__textarea" id="feedback-form-text-area" name="comment" placeholder="Suggestions..."></textarea>
<button class="twlo-btn" id="feedback-submit-btn" type="button">Send your suggestions</button>
<div class="twlo-modal__footer">
<div class="talk-to-support">
<h6>
<a href="https://www.twilio.com/console/support/tickets/create" target="_blank" title="Need help? Talk to Support" rel="noreferrer noopener">Need help? Talk to Support</a>
</h6>
</div>
<div class="rc-anchor-pt"> Protected by reCAPTCHA – <a href="https://www.google.com/intl/en/policies/privacy/" target="_blank" title="Privacy" rel="noreferrer noopener">Privacy</a><span aria-hidden="true" role="presentation"> -
</span><a href="https://www.google.com/intl/en/policies/terms/" target="_blank" title="Terms" rel="noreferrer noopener">Terms</a>
</div>
</div>
</div>
</form>Text Content
Skip to main content
English
* 日本語
* English
* Français
* Português (Brasil)
* SearchK
* Login
* Start for Free
*
* Dashboard
* * Choose Your Language
* 日本語
* English
* Français
* Português (Brasil)
Diese Seite ist nur auf Englisch verfügbar. Ihre bevorzugte Sprache ist auf
Deutsch eingestellt.
UI / Account And Settings / How to Set Up Domain Authentication
ON THIS PAGE
* What is Domain Authentication
* Key terminology
* DNS and Domain Setup
* DNS records and email authentication
* Twilio SendGrid's DNS records
* Set up Domain Authentication
* Before you begin setting up your domain
* Manual or automated setup
* Setup steps required for both automatic and manual setup
* Automated domain setup
* Manual setup
* Advanced settings
* Use automated security
* Use a custom return-path
* Use a custom DKIM selector
* Assign to a Subuser
* DNS providers supported by Twilio SendGrid's automated setup
* Migrate from legacy Domain Authentication (Domain Whitelabel)
* Additional resources
HOW TO SET UP DOMAIN AUTHENTICATION
Setting up domain authentication is a critical step when establishing your
Twilio SendGrid account. This process is essential for ensuring the optimal
deliverability of your emails. Domain Authentication not only enhances your
email delivery rates but also boosts trustworthiness with both email inbox
providers and your recipients.
This page provides insights into Twilio SendGrid's Domain Authentication
process, focusing on domain setup and the verification of sending email servers'
legitimacy through DNS entries. It's important to note that while this
documentation discusses Twilio SendGrid here, the requirements and best
practices for setting up domains and ensuring email deliverability are
applicable to all reputable email delivery services.
This page guides you through Domain Authentication setup. Domain setup is a
crucial step in sending affective email campaigns. If you're already familiar
with Domain Name System (DNS) records, you may want to skip to the setup
instructions.
If you're less familiar with DNS or email-specific DNS records, the following
sections will help you understand why Domain Authentication is necessary and how
it helps protect the reputation of your domain when sending email.
In December 2023, SendGrid added a basic Domain-based Message Authentication,
Reporting & Conformance (DMARC) record to the DNS records page in the console.
By following the steps below and adding this to the records hosted by your DNS
provider, your organization will be able to meet the DMARC requirement set by
Gmail and Yahoo!. These inbox providers will temporarily block email that does
not meet the new requirements beginning February 2024 and reject this mail
beginning April 2024. If your organization uses a different DMARC policy, Twilio
SendGrid recommends you keep that policy in place as any valid DMARC record
meets these requirements.
WHAT IS DOMAIN AUTHENTICATION
When sending email, you must set Domain Name System (DNS) records on the domain
to:
1. Communicate to receiving email servers that you own the domain the email was
sent from.
2. Verify that you have given the sending email server permission to send email
on behalf of the domain.
Domain Authentication, formerly known as Domain Whitelabel, is Twilio SendGrid's
process for domain setup and setting the DNS entries that grant us permission to
send email on your behalf. Once you have completed Domain Authentication by
following the instructions on this page:
* Your recipients will no longer see "via sengrid.net" beside the from address
of your messages.
* Both receiving email servers and human recipients will be more likely to
trust the legitimacy of your messages, which means you're more likely to
reach an inbox than a spam folder.
KEY TERMINOLOGY
Having a high level understanding of the following terms will help as you learn
more about email deliverability. However, you do not need to become an email
deliverability expert to send email with Twilio SendGrid. If you wish to
continue with Domain Authentication setup, skip ahead to the setup instructions.
DNS AND DOMAIN SETUP
As mentioned earlier, Domain Name System (DNS) records are essential to
verifying which email servers are allowed to send email on behalf of your
domain. DNS is a naming system for domains on the internet. It resolves domains
humans can remember, like sendgrid.com, to IP addresses that belong to specific
computers.
There are several types of DNS records. An A record points a domain directly to
an IP address where requested resources can be found. However, some records,
such as CNAME records, link a domain to another domain or "host." Other records,
such as TXT records, allow a domain owner to store text information about the
domain. A single domain may have many records of varying types. For example,
your domain may have an A record pointing to the IP address of your web server
and CNAME records pointing to the cloud service that handles your email.
DNS records are managed using your DNS provider or host. Popular DNS providers
include DNSimple, GoDaddy, Rackspace, and Cloudflare, but there are many others.
These providers allow you to set and remove DNS entries for your domain.
DNS RECORDS AND EMAIL AUTHENTICATION
When working with an email provider such as Twilio SendGrid, you should be aware
of three types of email authentication: DomainKeys Identified Mail (DKIM),
Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting
& Conformance (DMARC). DKIM, SPF and DMARC are all implemented in part by
setting TXT records on your domain. DMARC is encouraged, but not a requirement
for email authentication.
DKIM
DomainKeys Identified Mail (DKIM) is an authentication method that uses
asymmetric encryption to sign and verify your email. With DKIM implemented, the
sending email server adds a cryptographic signature to your emails' headers. The
DKIM record is a TXT record that stores the DKIM public key. For more
information about how DKIM works, see DKIM Records Explained.
SPF
Sender Policy Framework (SPF) is an email authentication standard developed by
AOL that allows you to list all the IP addresses that are authorized to send
email on behalf of your domain. The SPF record is a TXT record that lists the IP
addresses approved by the domain owner. The receiving server can compare the
email sender’s actual IP address to the list in the SPF record. For more
information about how SPF works, see SPF Records Explained.
DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a
protocol that verifies the authenticity of an email's sender. It helps prevent
malicious senders from harming your sender reputation. DMARC provides a policy
to email service providers, instructing them on the actions to take when they
receive an email that fails SPF, DKIM, or both checks, and appears to be from
your domain—a sign it may be spoofed.
DMARC is an optional field for Sender Authentication. SendGrid suggests starting
with the simplest DMARC policy: v=DMARC1; p=none . However, your organization
may enforce a stricter policy, which you should then apply. Twilio SendGrid will
accept any valid DMARC policy during its verification process. For more
information on DMARC, please refer to the article, Everything about DMARC.
TWILIO SENDGRID'S DNS RECORDS
During Domain Authentication setup, Twilio SendGrid's automated security will be
enabled by default. If you leave automated security on, Twilio SendGrid will
provide you with CNAME records that must be added to your domain. If you turn
automated security off, you will be given one MX record and two TXT records
instead.
CNAME
As mentioned earlier, CNAME records link one domain to another domain. When
Twilio SendGrid gives you CNAME records during Domain Authentication, they point
to a domain Twilio SendGrid controls. This means that Twilio SendGrid can create
and update your SPF and DKIM records for you. For example, if you purchase a
dedicated IP address, Twilio SendGrid can add that address to your SPF
automatically.
The CNAME record also allows Twilio SendGrid to route our click and open
tracking statistics back to your Twilio SendGrid account where you can use them
to adjust more sending behavior.
MX
MX records specify the location of the server responsible for handling inbound
email for a domain. When automated security is turned off, Twilio SendGrid will
provide one MX record during Domain Authentication that must be added to your
domain. This record enables the return-path.
The return-path is an email header, and it defines an address that is separate
from your original sending address. The return-path address tells email servers
where to send feedback such as delayed bounces and unsubscribes.
TXT
TXT records allow you to add text information about your domain. DKIM and SPF
are both implemented using TXT records with specific formatting. With automated
security turned off, Twilio SendGrid will provide these TXT records to be added
to your domain.
When automated security is turned off, you must update the TXT records on your
domain manually when you make a change to your email configuration. For example,
when you add a new IP address to your account, your SPF TXT record will need to
be updated with the new IP information to prevent email delivery issues.
If you choose to brand links during Domain Authentication, you will be given two
additional CNAME records to support Link Branding. See our Link Branding
documentation for more information.
SET UP DOMAIN AUTHENTICATION
Each user may have a maximum of 3,000 athenticated domains and 3,000 link
brandings. This limit is at the user level, meaning each Subuser belonging to a
parent account may have its own 3,000 authenticated domains and 3,000 link
brandings.
BEFORE YOU BEGIN SETTING UP YOUR DOMAIN
To set up Domain Authentication, you must submit the DNS records provided by
Twilio SendGrid to your DNS or hosting provider. Popular DNS providers include
DNSimple, GoDaddy, Rackspace, and Cloudflare, but there are many others.
1. Determine who your hosting provider is and make sure you have the access
required to change your records.
2. If you don't have access to your DNS or hosting provider, determine who in
your company is able to make DNS modifications for your domain.
MANUAL OR AUTOMATED SETUP
If you already have a DNS record with a custom name on your domain, adding a new
record with a matching custom name will overwrite your existing DNS entry. This
can happen if you Use a custom return-path and set the name to one that already
exists in your DNS entries.
For example, let's assume you have a TXT record with the host email.example.com.
If you set a custom return-path of email during Domain Authentication, Twilio
SendGrid will create a record with the host email.example.com. When you complete
automatic Domain Authentication, your existing TXT record will be replaced with
Twilio SendGrid's record. This will likely break one of your existing services.
Be sure you are not completing Domain Authentication by using any custom names
that already exist for records on your domain before proceeding.
Twilio SendGrid supports Domain Connect, which can simplify the Domain
Authentication process.If we have partnered with your DNS provider to support
Domain Connect, you will have the option to authenticate with your DNS provider
and allow Twilio SendGrid to configure the DNS changes for you. Both automatic
and manual setup begin the same way with the "Setup steps required for both
automatic and manual setup" that follow.
SETUP STEPS REQUIRED FOR BOTH AUTOMATIC AND MANUAL SETUP
1. In the Twilio SendGrid App user interface (UI), select Settings > Sender
Authentication.
2. In the Domain Authentication section, click Get Started. The Authenticate
Your Domain page will load.
3. From the Authenticate Your Domain page, select your DNS host from the
drop-down menu below the text: Which Domain Name Server (DNS) host do you
use? You can select I'm not sure or Other Host (Not Listed) if necessary.
4. You can choose to set up Link Branding by choosing Yes below the text: Would
you also like to brand the links for this domain? If you choose No, you can
add Link Branding at a later time. Link Branding is not a required part of
the Domain Authentication process. See our Link Branding docs for more
information.
Link Branding is not currently supported by the automatic setup process. If you
choose to brand links during Domain Authentication, you must add the Link
Branding CNAME records to your domain manually.
5. Click Next. A second Authenticate Your Domain page will load.
6. From the new page, add the domain you want to authenticate below the text:
Domain You Send From. This will be the domain that appears in the from
address of your messages. For example, if you want your messages to be from
addresses like orders@example.com, you will authenticate example.com. Make
sure that you enter only your root domain <domain-name.top-level-domain>.
Do not include a subdomain or protocol such as www or http://www in this
field.
7. Select the Advanced Settings appropriate for your needs. Most customers can
leave Use automated security checked and continue. For more information
about advanced settings, see the "Advanced settings" section of this page.
8. Click Next. The Install DNS Records page will load.
9. The Twilio SendGrid App will now determine if we can automatically finish
the Domain Authentication process for you. If we can automatically finish
the setup, you will be taken to the Automatic Setup tab. If we cannot
automatically finish the setup, you will be taken to the Manual Setup tab.
10. If you cannot modify your domain's DNS records, you can email the records
to a colleague using the Send To A Coworker tab. The email includes a
direct link to the records. The recipient doesn't need to log in to your
Twilio SendGrid account.
Automated setup is currently available for GoDaddy only. We plan to add support
for additional DNS providers in the future.
AUTOMATED DOMAIN SETUP
If you already have a DNS record with a custom name on your domain, adding a new
record with a matching custom name will overwrite your existing DNS entry. This
can happen if you Use a custom return-path and set the name to one that already
exists in your DNS entries.
For example, let's assume you have a TXT record with the host email.example.com.
If you set a custom return-path of email during Domain Authentication, Twilio
SendGrid will create a record with the host email.example.com. When you complete
automatic Domain Authentication, your existing TXT record will be replaced with
Twilio SendGrid's record. This will likely break one of your existing services.
Be sure you are not completing Domain Authentication by using any custom names
that already exist for records on your domain before proceeding.
1. From the Automated Setup tab, click Connect.
2. A dialog box titled Connect <your DNS host> to Twilio SendGrid for this
domain will load.
3. A new window will also open where you can connect to your DNS host. In the
new window, log in to your DNS host and follow the instructions to connect
your domain.
4. Once you see a success message in the new window, you can close it.
5. In the Connect <your DNS host> to Twilio SendGrid for this domain dialog,
Twilio SendGrid will attempt to verify the correct setup of your DNS
records.
6. Once your Domain Authentication setup is verified, the dialog will close,
and you will see a success message in the Twilio SendGrid App UI.
7. If verification is not successful, try clicking Verify again in 48 hours. It
can take up to 48 hours for DNS changes to be applied. If you are still
unable to verify Domain Authentication after 48 hours, please contact Twilio
SendGrid support for help.
MANUAL SETUP
1. In the Manual Setup tab, you will see the DNS records that must be added
with your DNS host provider. If you left Use automated security checked
during the earlier configuration steps, you will have three CNAME records
and one TXT record. If you unchecked Use automated security, you will see an
MX record and three TXT records. For more information about these records,
see the "Twilio SendGrid's DNS records" section of this page.
2. Next, you will add the records displayed using your DNS provider. This
process varies depending on your DNS host. For videos on how to add records
with some popular DNS service providers, see these videos.
3. Once you add the DNS records to your domain, return to the Twilio SendGrid
App UI and click Verify.
4. You should now see the records verified successfully.
5. If only half of your records are verified, you likely need to wait a bit
longer. It's also possible that you entered one of your records incorrectly.
For other troubleshooting information, see Troubleshooting Sender
Authentication.
6. Any time that you send an email with a from address where the domain matches
your authenticated domain, Twilio SendGrid applies that domain to your
email. You only need to update your Domain Authentication if you want to
update the domain you are emailing from.
GoDaddy, Amazon Route 53, and Namecheap, among other providers, automatically
append your domain to your new DNS record values, resulting in a CNAME entry
that fails verification. For example, if your domain is example.com, and Twilio
SendGrid's CNAME host value is em123.example.com, the incorrect record will
become em123.example.com.example.com.
You can remedy this by pasting only the subdomain section of the host value,
em123, into your DNS provider's host field. You do not need to modify the value
of the record. Be sure to check your CNAME for this behavior if your domain
doesn't validate initially.
It can take up to 48 hours for the records to verify after you upload them into
your DNS host, so you will likely have to come back later to verify.
ADVANCED SETTINGS
During Domain Authentication setup, on the second Authenticate Your Domain page
where you enter your domain, there is a drop-down menu labeled Advanced
Settings. The following section explains each of these settings.
USE AUTOMATED SECURITY
Automated security is different from automatic setup. Automated security allows
Twilio SendGrid to handle the signing of your DKIM and the authentication of
your SPF with CNAME records. This allows you to add a dedicated IP address or
update your account without having to update your DNS records. For more
information about how this works, see the "Twilio SendGrid's DNS records"
section of this page.
Automated security defaults to On. If your DNS provider does not accept
underscores in CNAME records, you will have to turn automated security off and
use MX and TXT records.
If you turn off automated security, you are responsible for managing and
updating the MX and TXT records yourself.
USE A CUSTOM RETURN-PATH
You can use a custom return-path to customize the subdomain that tells receiving
email servers where to route delayed bounces and unsubscribes.
1. Select Use a custom return path and input letters or numbers to build a
custom return-path. If you don't select these, Twilio SendGrid automatically
selects them for you. Make sure the characters you select are different from
those that Twilio SendGrid assigned you initially.
USE A CUSTOM DKIM SELECTOR
You can set a custom DKIM selector if you want to authenticate a single domain
multiple times or if Twilio SendGrid's DKIM selector, s, is already in use by
another service. This works by adding the custom selector to the domain as a
custom subdomain.
1. Select Use a custom DKIM selector and input three letters or numbers to
build a custom subdomain. If you don't select these, Twilio SendGrid
automatically selects them for you. Make sure the three characters you
select are different from your original selection. For example, you could
use org or 001.
ASSIGN TO A SUBUSER
When you authenticate a domain on a parent account, you can assign it to a
Subuser. The Subuser will not see the authenticated domain assigned by the
parent. This is intentional and prevents a Subuser from editing or deleting an
authenticated domain from the parent or any other assigned Subusers.
The parent account owns the DNS records used to authenticate the domain and then
grants the Subuser permission to use the authenticated domain. Authentication
records are mapped to the account that creates them.
1. Select Advanced Settings below the From Domain field. This will be on the
second page of Domain Authentication setup in the Twilio SendGrid App.
2. Select Assign to a subuser.
3. A field will appear where you can select which Subuser to assign to the
authenticated domain.
You can modify a Subuser's Domain Authentication assignments in the Subuser
Management section of the Twilio SendGrid App. See our Subusers documentation
for more about Subusers.
DNS PROVIDERS SUPPORTED BY TWILIO SENDGRID'S AUTOMATED SETUP
Twilio SendGrid has partnered with the following DNS providers who support
Domain Connect to automate the Domain Authentication process.
* GoDaddy
MIGRATE FROM LEGACY DOMAIN AUTHENTICATION (DOMAIN WHITELABEL)
If you authenticated a domain (Whitelabel) before 2015, your domain will still
work. However, if you need to change or update it, you need to delete it and
recreate it as an authenticated domain in our new system.
ADDITIONAL RESOURCES
* Troubleshooting Sender Authentication
* How to set up link branding
* How to set up reverse DNS
* Configuring Sign in with Apple
Rate this page:
1 2 3 4 5
NEED SOME HELP?
We all do sometimes. Get help now from the Twilio SendGrid Support Team.
Running into a coding hurdle? Lean on the wisdom of the crowd by browsing the
SendGrid tag on Stack Overflow or visiting Twilio's Stack Overflow Collective.
* Terms of Service
* Privacy Policy
* Copyright © 2024 Twilio Inc.
Rate this page:
1 2 3 4 5
THANK YOU FOR YOUR FEEDBACK!
Please select the reason(s) for your feedback. The additional information you
provide helps us improve our documentation:
If applicable fill in the countries where you are using Twilio
Missing information or code
Content is confusing or hard to follow
Inaccurate or outdated information
Broken link or typo
Did not solve my problem
Content is easy to follow
Solved my problem
Other
Send your suggestions
NEED HELP? TALK TO SUPPORT
Protected by reCAPTCHA – Privacy - Terms
Sending your feedback...
🎉 Thank you for your feedback!
Something went wrong. Please try again.
THANKS FOR YOUR FEEDBACK!